Transaction signature for offline payment processing system

ABSTRACT

Preventing fraud during an offline transaction by encoding a randomly-generated card verification code onto a smart card. The verification code is transmitted to a contactless device during each transaction, wherein it is cross-referenced with the account number to ensure presence of the card. Also, every transaction record is signed by an access key resident on the contactless device and certified by a signing key resident on a remote system. Funds may be deposited onto the card when the contactless device creates a deposit request, signs the request using an access key and transmits it to the remote system, which in turn processes the request and certifies it with a signing key. Funds may be withdrawn when the contactless device creates a withdrawal record and signs it using an access key. The remote system verifies the signatures and certifies the records using a signing key when the records are later transmitted.

TECHNICAL FIELD

The present disclosure relates generally to near field communication(NFC) enabled smart cards and offline processing of purchases. Moreparticularly, to methods and systems for preventing fraud during offlineprocessing of purchases using NFC smart cards.

BACKGROUND

Near Field Communication (NFC) is a proximity communication technologythat can enable contactless device payment technologies and that issupported by the Global System for Mobile Communications (GSM)Association. Radio frequency identification (RFID) is another wirelesscommunication technology that can be adapted to enable NFC smart cardpayment technology. NFC communication generally is conducted in a rangefrom about 3 to about 4 inches. Such short communication distancesenable secure communication between close field proximity enableddevices. In operation of an NFC transaction, a user “taps” a device,such as an NFC-enabled mobile phone or NFC-enable smart card, to areader. The reader recognizes the NFC-enabled device when the device ismoved within range of the reader, establishes a secure communicationchannel with the device, and initiates a payment transaction between thereader and the device.

Smart cards are devices with an embedded integrated circuit (forexample, a microprocessor and/or memory) for use as storage of data.Smart cards typically are credit card sized electronic devices that havea variety of uses and can be utilized in any transaction that involvesthe exchange of data or information. Smart card technology has beenparticularly useful in financial transaction systems. Smart cardsgenerally do not include a data entry device for direct entry of data.Instead, a smart card is used in conjunction with a card reader and/oran input device. Traditionally, a smart card is linked to a financialaccount or contains financial account information. Consequently, whenthe smart card is used, the reader receives the financial accountinformation and conducts a debit transaction from the financial account,requiring network access to process the on-line transaction. Suchconventional smart cards are inoperable when access to a network or tospecific computers on the network is not available.

Fraud is an ever-growing problem with the use of smart card technology.For instance, a malicious user may rollback the balance on a smart cardto a previous saved state, thus removing withdrawal transactionsoccurring after the last saved state. Also, it may be difficult for themerchant or financial institution to verify that the actual cardholderis authorizing the smart card purchase. Because cards may be produced inbank card number (BIN) ranges, not randomly generated numbers, it ispossible for an attacker to obtain one good card number and generateadditional valid card numbers by changing the last digit(s) of the cardnumber, thereby allowing an attacker to use someone else's card. Commonmethods to combat fraud include requiring submission of a copy of thephysical card or of the three/four-digit card verification number (CCV).The CCV scheme, for instance, was established by credit card companiesin efforts to reduce fraud for internet transactions. However, the CCVnumber is printed on the face or backside of the card and is limited bythe number of possible three/four-digit combinations.

SUMMARY

In certain exemplary aspects, a method of preventing fraud for offlineprocessing of purchases can include a contactless device thatfacilitates automatic, convenient, and secure communications with asmart card. Upon activation, a smart card is encoded with a cardverification number that is randomly-generated by a remote system. Theuser taps the smart card in the contactless device's radio frequencyfield. The contactless device and the smart card establish a securecommunication channel. Once a secure communication channel isestablished, the smart card transmits its card identificationinformation, which comprises the card account number and the cardverification number, and the transaction history to the contactlessdevice. The contactless device may transmit this information to theremote system to confirm the identity of the smart card and analyze thetransactions.

Every deposit and withdrawal record is signed by a session accession keyresident on the contactless device. A session begins when a merchantsigns into the contactless device and ends when the merchant signs out.An access key is may be a symmetric key, which is derived from a masterkey using a session identification number. The master key is maintainedby the remote system and the access key is transmitted to thecontactless device when a new session is begun.

The user may deposit funds onto the smart card using the contactlessdevice, wherein a merchant operating the contactless device enters thedeposit information onto the contactless device, creates a depositrequest, signs the deposit request using an access key and transmits arequest to the remote system. The transmitted request comprises the cardidentification information, the access key signature and the amount ofthe deposit. The remote system confirms the identity of the smart card,processes the request, certifies the request using a signing key andtransmits a deposit record to the contactless device, which in turntransmits the deposit record to the smart card.

The user also may withdrawal funds from the smart card using acontactless device, wherein the contactless device confirms the identityof the smart card and determines whether the smart card has a sufficientbalance available. The contactless device reads the current sum ofdeposits and the current sum of withdrawals from the smart cardmonotonic counter and compares these sums to the sums calculated usingthe transaction history. If these numbers match, the contactless devicecalculates the smart card balance by subtracting the sum of withdrawalsfrom the sum of deposits. If the balance is a number greater than orequal to the current transaction cost, the transaction is authorized. Ifsufficient balance is available, the contactless device creates awithdrawal record and signs the record using an access key. Thecontactless device then transmits the signed withdrawal record to thesmart card. The contactless device also stores the signed withdrawalrecord and the smart card transaction history until it has networkaccess. At that time, it transmits the transaction history to the remotesystem. When the transaction records, together with the appropriatesignatures, are transmitted to the remote system, the remote systemverifies the signature to ensure the transaction records uploaded aregenuine and certifies the record using a signing key. The remote systemmay also calculate the sum of all the transactions transmitted to verifythat the quota is not exceeded or synchronize the transactions toidentify missing records or errors.

These and other aspects, objects, features, and advantages of theexemplary embodiments will become apparent to those having ordinaryskill in the art upon consideration of the following detaileddescription of illustrated exemplary embodiments, which include the bestmode of carrying out the invention as presently perceived.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram depicting a system for processing an offlinepurchase initiated by a tap of a smart card with a contactless deviceand/or card reader according to an exemplary embodiment.

FIG. 2 is a block flow diagram depicting a method for processing adeposit of funds to a smart card via a contactless device according toan exemplary embodiment.

FIG. 3 is a block flow diagram depicting a method for depositing fundsto a smart card via a contactless device according to an exemplaryembodiment.

FIG. 4 a is a block flow diagram depicting a method for creating aremote system user account for association with a smart card accountaccording to an exemplary embodiment.

FIG. 4 b is a block flow diagram depicting a method for activating a newsmart card without associating the smart card with a remote system useraccount according to an exemplary embodiment.

FIG. 5 is a block flow diagram depicting a method for processing awithdrawal of funds from a smart card via a contactless device accordingto an exemplary embodiment.

FIG. 6 is a block flow diagram depicting a method for determiningwhether a smart card has a sufficient balance of funds for a withdrawaltransaction according to an exemplary embodiment.

FIG. 7 is a block flow diagram depicting a method for synchronizingsmart card transactions on a remote system according to an exemplaryembodiment.

FIG. 8 is a block flow diagram depicting a method for identifying asmart card according to an exemplary embodiment.

FIG. 9 is a block flow diagram depicting a method for transmitting anaccess key from a remote server to a contactless device according to anexemplary embodiment.

FIG. 10 is a block flow diagram depicting a method for determining thebalance on a smart card according to an exemplary embodiment.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS Overview

The exemplary embodiments provide methods and systems that enable usersto prevent fraud while utilizing offline processing of purchases with asmart card and a contactless device/card reader. The user taps the smartcard in the radio frequency field of the contactless device. Thecontactless device and the smart card establish a secure communicationchannel and the smart card transmits its card identification informationto the contactless device. The card identification information comprisesthe card account number and the card verification number. If thecontactless device has network access the card identificationinformation is transmitted to the remote system for card verification bycross-referencing the card account number and the card verificationnumber. If the contactless device is without network access, thecontactless device verifies the identity of the smart card. If the smartcard is new or inactive, the contactless device is prompted to registerand activate the card. The activation of a new smart card occurs onlywhen the contactless device has network access. The user may be promptedto create a new remote system account or to associate the smart cardwith an existing remote system account. Alternatively, the smart cardmay be activated without a remote system account. The remote systemgenerates a random card verification number that becomes associated withthe smart card and encoded in the card identification information. Theremote system transmits the initial smart card data to the contactlessdevice, which includes the card verification number, and the contactlessdevice transmits the date to the smart card.

The user may deposit funds onto the smart card using the contactlessdevice. The smart card transmits the transaction history to thecontactless device, which is in turn transmitted to the remote systemand stored in the card account. The remote system and/or contactlessdevice may confirm the identity of the smart card by cross-referencingthe card account number and the card verification number. In anexemplary online transaction, every deposit record is signed by theremote system using an asymmetric signing key before transmitting therecord to the contactless device. A private key (for example, a tellersigning key) is maintained by the remote system and a public key (forexample, a teller access key) is transmitted to the contactless device.Therefore, a contactless device containing the public key can verify theauthenticity of an online transaction record stored on the smart cardusing the public key, but it cannot manipulate an existing transactionrecord or issue a new deposit record without connecting to the server. Amerchant operating the contactless device enters deposit informationonto the contactless device, based on funds provided by a user of thesmart card to the merchant. The contactless device creates and signs adeposit request with the teller access key, which is transmitted to theremote system. The remote system processes the request, verifies theidentity of the smart card using the card verification number, certifiesthe deposit using the teller signing key and calculates a new sum ofdeposits. The remote system then transmits a deposit record to thecontactless device. The contactless device transmits the deposit recordto the smart card, and the secure communication channel is thenterminated.

In an exemplary offline transaction, every withdrawal record is signedby a cashier session key. A session begins when a merchant signs intothe contactless device and ends when the merchant signs out. Eachsession may be associated with a quota, such as a maximum number oftransaction, a maximum time period or a maximum number of dollars. Whenthe quota is reached, the merchant is required to connect to the remotesystem and request a new session access key. A cashier access key may bea symmetric key, which is derived from a master key using a sessionidentification number. The master key is maintained by the remote systemand the cashier access key is transmitted to the contactless device whena new session is begun. The user also may withdraw funds from the smartcard using the contactless device. The smart card transmits the cardidentification information and transaction history to the contactlessdevice. The contactless device confirms the identity of the smart cardby cross-referencing the card account number and the card verificationnumber. The merchant confirms whether the smart card has a sufficientbalance available for a purchase transaction by using the contactlessdevice to read the current sum of deposits and the current sum ofwithdrawals from the monotonic counters resident on the smart card. Thecontactless device compares the sums read from the monotonic counters tothe sums calculated using the transaction history. If these numbersmatch, the contactless device then calculates the smart card balance bysubtracting the sum of withdrawals from the sum of deposits. If thebalance is a number greater than or equal to the current transactioncost, the transaction is authorized. If sufficient balance is available,the contactless device processes a debit transaction to debit thecurrent transaction cost from the current sum of withdrawals. Thecontactless device creates a withdrawal record and then uses the cashieraccess key to sign the record. The contactless device writes the signedwithdrawal record to the smart card and maintains a copy of the signedrecord for later transmission to the remote system. When the transactionrecords, together with the appropriate signatures, are later transmittedto the remote system, the remote system verifies the signature to ensurethe transaction records uploaded are genuine and certifies the recordusing the cashier signing key. The remote system may also calculate thesum of all the transactions transmitted to verify that the quota is notexceeded or synchronize the transactions to identify missing records orerrors.

The functionality of the exemplary embodiments will be explained in moredetail in the following description, read in conjunction with thefigures illustrating the program flow.

System Architecture

Turning now to the drawings, in which like numerals indicate like (butnot necessarily identical) elements throughout the figures, exemplaryembodiments are described in detail.

FIG. 1 is a block diagram depicting a system 100 for processing anoffline purchase initiated by a tap of a smart card 110 with acontactless device 120, comprising a card reader 150, according to anexemplary embodiment. As depicted in FIG. 1, the exemplary operatingenvironment 100 includes a merchant contactless device system 120 and auser smart card system 110 that are configured to communicate with oneanother via one or more secure communication channels 130. The exemplaryoperating environment 100 also includes a remote computer system 160that is configured to communicate with the merchant contactless devicesystem 120 via one or more networks 140.

In exemplary embodiments, the secure communication channel 130 cancomprise communication via a close proximity communication protocol,such as near field communication (NFC), Bluetooth, or Wi-Fi, usingappropriate protocols corresponding to those communication methods. Inan alternative exemplary embodiment, the secure communication channel130 can comprise a cellular network.

In an exemplary embodiment, NFC communication protocols include, but arenot limited to ISO/IEC 14443 type A and/or B technology (hereafter “ISO14443”), MIFARE technology (hereafter “MIFARE”), and/or ISO/IEC 18092technology (hereafter “ISO 18092”). ISO 14443 is a communicationprotocol for contactless devices operating in close proximity with areader. An ISO 14443 communication protocol is utilized for secure cardpayments, including but not limited to credit card payments, debit cardpayments, and other forms of financial card payments. MIFARE is acommunication protocol for contactless devices that comply withproprietary device standards that are based on ISO 14443. A MIFAREprotocol is utilized for stored function transactions, including but notlimited to gift cards, transit cards, tickets, access cards, loyaltycards, and other forms of stored value card transactions. A MIFAREprotocol may also be used for limited value-added services. ISO 18092 isa communication protocol for contactless devices operating at higher bitrates, allowing for richer communication between the devices. An ISO18092 communication protocol is utilized for peer-to-peer communication,value-added services (including, but not limited to, coupons, loyaltycards, check-ins, membership cards, gift cards, and other forms ofvalue-added services), and other forms of richer communication. Anysuitable NFC communication protocol can be used for NFC communicationbetween the smart card 110 and the contactless device 120 to implementthe methods and functionality described herein.

In an exemplary embodiment, the contactless device system 120 can referto a smart device that can communicate via an electronic, magnetic, orradio frequency field between the device 120 and another device, such asa smart card 110. In an exemplary embodiment, the contactless device 120has processing capabilities, such as storage capacity/memory and one ormore applications 122 that can perform a particular function. In anexemplary embodiment, the contactless device 120 contains an operatingsystem (not illustrated) and user interface 121. Exemplary contactlessdevices 120 include smart phones; mobile phones; personal digitalassistants (PDAs); mobile computing devices, such as netbooks, tablets,and iPads; laptops; and other devices, in each case having processingand user interface functionality.

The contactless device 120 also comprises a secure element 126, whichcan exist within a removable smart chip or a secure digital (SD) card orwhich can be embedded within a fixed chip on the device 120. In certainexemplary embodiments, Subscribed Identity Module (SIM) cards may becapable of hosting a secure element 126, for example, an NFC SIM Card.The secure element 126 allows a software application 122 resident on thedevice 120 and accessible by the device user to interact securely withcertain functions within the secure element 126, while protectinginformation stored within the secure element. The secure element 126comprises applications 127 running thereon that perform thefunctionality described herein.

The contactless device system 120 also comprises one or more access keys129. In an exemplary embodiment, the access keys 159 may be defined asonline transaction keys or offline transactions keys. An exemplaryonline transaction key is an asymmetric key, wherein the private key isstored on the remote system 160 and the private key is transmitted tothe contactless device 120. In an alternative exemplary embodiment, theonline transaction key may be a symmetric key. An exemplary offlinetransaction key is a symmetric key used to sign offline transactions. Inan alternative exemplary embodiment, the offline transaction key is anasymmetric key. An offline transaction key is generated by the remotesystem 160 and transmitted to the contactless device 120 for each newsession. Each session key can be used only by one contactless device 120for the duration of a single session (for example, for the period oftime from when the merchant signs onto a new session until the merchantsigns out of the session). In addition, each session key may have amaximum number of transactions allowed per session key or a maximum timeperiod allowed per session key. The session key may become invalid ifthe maximum is reached and the merchant may be required to start a newsession, and thus receive a new session key.

Each session key is specifically provided by the remote system 160 forthe type of session designated by the merchant (for example, fordepositing funds or withdrawing funds onto a smart card 110). The methodof transmitting an access key 129 to a smart card 110 is described inmore detail hereinafter with reference to the methods described in FIG.9. In an exemplary embodiment, the access key 159 is stored in thesecure element 126 during the operation of the session. At thecompletion of each session, the access key 159 is wiped from the memoryof the contactless device system 120.

An exemplary access key 159 is designated as a teller access key or acashier access key. An exemplary teller access key is transmitted to thecontactless device system 120 to assist in depositing funds onto a smartcard 110. The teller access key will allow the merchant to read or writedeposit transaction and to read withdrawal transactions. An exemplarycashier access key is transmitted to the contactless device system 120to assist in withdrawing funds from a smart card 110. The cashier accesskey will allow the merchant to read deposit transaction and to read andwrite withdrawal transactions. In an exemplary embodiment, the accesskeys 159 are specific to each merchant session with the contactlessdevice system 120 and are not readable, known or otherwise accessible toother merchant contactless device systems. Without an access key 159,the contactless device 120 cannot read or write transaction records ontothe smart card 110. In an exemplary embodiment, the access keys 159 willdefine levels of access/permission to read and write data to the smartcard 110.

In an exemplary embodiment, the contactless device 120 transmits adeposit or withdrawal record signed by the access key 159 residing onthe contactless device 120 to the smart card 110. For example, during adeposit transaction, the contactless device 120 transmits a depositrecord signed by the teller access key to the smart card 110 and duringa withdrawal transaction, the contactless device 120 transmits awithdrawal record signed by the cashier access key to the smart card110. In an exemplary embodiment, the remote system 160 maintains arecord of which access key 159 is transmitted to every contactlessdevice system 120. Therefore, the remote system 160 is capable ofdetermining which merchant contactless device 120 signed eachtransaction and during which session the transaction was signed basedupon the deposit/withdrawal records stored in the transaction history onthe smart card 110. An exemplary access key 119 can be used to read andconfirm that the remote system 160 has certified or verified a depositor withdrawal.

The secure element 126 includes components typical of a smart card, suchas crypto processors and random generators. In an exemplary embodiment,the secure element 126 comprises a Smart MX type NFC controller 124 in ahighly secure system on a chip controlled by a smart card operatingsystem, such as a JavaCard Open Platform (JCOP) operating system. Inanother exemplary embodiment, the secure element 126 is configured toinclude a non-EMV type contactless smart card, as an optionalimplementation.

The secure element 126 communicates with the controller 124 and theapplication 122 in the contactless device 120. In an exemplaryembodiment, the secure element 126 is capable of storing encrypted userinformation and only allowing trusted applications to access the storedinformation. The controller 124 interacts with a secure key encryptedapplication 122 for decryption and installation in the secure element126.

In an exemplary embodiment, the controller 124 is a Bluetooth linkcontroller. The Bluetooth link controller may be capable of sending andreceiving data, identifying the smart card 110, performingauthentication and ciphering functions, and directing how thecontactless device 120 will listen for transmissions from the smart card110 or configure the contactless device 120 into various power-savemodes according to the Bluetooth-specified procedures. In anotherexemplary embodiment, the controller 124 is a Wi-Fi controller or an NFCcontroller capable of performing similar functions.

The application 122 is a program, function, routine, applet or similarentity that exists on and performs its operations on a contactlessdevice 120. For example, the application 122 may be one or more of anoffline payment application, a digital wallet application, a couponapplication, a loyalty card application, another value-addedapplication, a user interface application, or other suitable applicationoperating on the contactless device 120. Additionally, the secureelement 126 also may comprise secure contactless software applications,such as an offline payment or other payment applications, secure formsof the applications 122, authentication applications, paymentprovisioning applications, or other suitable application using thesecure functionality of the secure element.

The contactless device 120 communicates with the smart card 110 via anantenna 128. In an exemplary embodiment, once the contactless deviceapplication 122 has been activated and prioritized, the controller 124is notified of the state of readiness of the contactless device 120 fora transaction. The controller 124 outputs through the antenna 128 aradio signal, or listens for radio signals from the smart card 110. Onestablishing a secure communication channel between the contactlessdevice 120 and the smart card 110, the contactless device 120 mayrequest a list of applications 115 available from the smart card 110. Adirectory is first displayed, after which, based on the set priority orthe type of smart card 110, an application 115 and 122 are chosen andinitiated for the transaction.

An exemplary smart card 110 can refer to a smart device that cancommunicate via an electronic, magnetic or radio frequency field betweenthe card 110 and another device, such as a contactless device 120 or acard reader 150. In an exemplary embodiment, the smart card 110 hasprocessing capabilities, such as storage capacity/memory 113 and one ormore applications 115 that can perform a particular function. In anexemplary embodiment, the smart card also has an NFC enabled chip (notillustrated) implemented, either independently or on existingcomponents, within the smart card 110. Exemplary smart cards 110 mayinclude MIFARE cards, stored value memory cards, and other types ofmemory cards.

In an exemplary embodiment, the memory 113 and application 115 may beimplemented in a secure element, as described previously, on the smartcard 110. The smart card 110 also may contain one or more access keys119 that control access to the information contained in the memory 113.For example, security measures can include password keys and logic thatare hard-coded into the smart card 110 by the manufacturer. In anexemplary embodiment, the access keys 119 contained on the smart card110 are also used for mutual authentication between the smart card 110and the contactless device 120. For example, a smart card which does notcontain a correct access key 119 will not be authenticated by thecontactless device 120. As a result, the transaction will be rejected.In an exemplary embodiment, the smart card 110 contains one or more of acashier key, a teller key, and a mint key. As described above, a cashieraccess key is used to change the value of the smart card 110 bywithdrawing funds and a teller access key is used to put value onto thesmart card 110 by depositing funds. An exemplary mint key is used tochange any of the existing keys resident on the smart card 110. In anexemplary embodiment, the mint key is used to setup the keys, reset thecard data and reset the counters. In an exemplary embodiment, the tellerand cashier keys may be rotated. For example, the keys may be rotatedbased on a defined time period, data capacity, or other defined basisfor rotation. The mint key may define the basis for rotating the accesskeys 119. In an exemplary embodiment, the access keys 119 will definelevels of access/permission to read and write data to the smart card110.

In an alternative exemplary embodiment, a symmetric key may be utilizedto encrypt the data on the smart card 110, so that an NFC-enabled devicewithout such a key cannot comprehend the data on the smart card 110. Thekey is shared with the remote system 160, the contactless device 120,and the card reader 150.

In an exemplary embodiment, a monotonic counter 117 may also beimplemented in a secure element on the smart card 110. Counters maystore the number of times a particular event or process has occurred. Anexemplary counter is monotonic and thus, only allows for the values tobe increased or incremented, not decreased. This preventative measureprevents users from saving the current state of a smart card 110, usingthe card and then rolling the card back to the previously saved state,thereby receiving a free transaction. An exemplary embodiment, a sum ofdeposits and a sum of withdrawals are stored in the monotonic counter117. The sum of deposits and sum of withdrawals can be compared to thesaved transaction history on the smart card 110 when a transaction isrequested. Because the sum of deposit and/or sum of withdrawals arestore in the monotonic counter (which can only be incremented, notdecreased), a smart card 110 that has been rolled back to a previousstate can be detected and inactivated. The method of determining the sumof withdrawals and sum of deposits is described in more detailhereinafter with reference to the methods described in FIGS. 2-10.

In an alternative exemplary embodiment, a monotonic counter 117 isincreased during each withdrawal transaction and the total number ofwithdrawal transactions saved in the transaction history is compared tothe number designated by the monotonic counter 117. Likewise, amonotonic counter 117 may be increased during each deposit transactionand the total number of deposit transactions saved in the transactionhistory is compared to the number designated by the monotonic counter117.

As depicted in FIG. 1, the card reader 150 may be a component of thecontactless device 120. For example, in an exemplary embodiment, thecard reader 150 is a contactless device application 122, whereininformation exchanged with the smart card 110 via the securecommunication channel 130 and antenna 128 is processed via theapplication 122.

In an alternative exemplary embodiment, the card reader 150 may be aseparate standalone device that communicates with the smart card 110 viaone or more secure communication channels 130 and with the contactlessdevice 120. As a standalone device, the card reader 150 can refer to adevice that can communicate via an electronic, magnetic, or radiofrequency field between the card reader 150 and another device, such asthe smart card 110 and/or the contactless device 120. In thisembodiment, the card reader 150 passes information between the smartcard 110 and the contactless device 120. Additionally, when implementingthis embodiment, the contactless device 120 may be a computer that doesnot have contactless NFC functionality, such as a desktop computer,server computer, laptop computer, mobile computing device (such as amobile telephone, tablet computer, or smart phone), or other non-NFCenabled device.

In an exemplary embodiment, the card reader 150 has processingcapabilities, such as storage capacity/memory and one or moreapplications 155 that can perform a particular function. In an exemplaryembodiment, the card reader 150 contains an operating system (notillustrated) and user interface (not illustrated).

The card reader 150 is communicatively coupled to the contactless device120 via a direct connection, via one or more secure communicationchannels 130, or via a network 140 (connection not illustrated). Anexemplary card reader 150 may contain an access key, as described above.

As further depicted in FIG. 1, the contactless device 120 may becommunicatively coupled to the remote system 160 via a network 140. Inan alternative exemplary embodiment, the card reader 150 is alsocommunicatively coupled to the remote system 160 via a network 140. Thenetwork 140 comprises a telecommunication means by which network devices(including devices 120, 150, and 160) can exchange data. For example,the network 140 can be implemented as, or may be a part of, a storagearea network (SAN), personal area network (PAN), local area network(LAN), a metropolitan area network (MAN), a wide area network (WAN), awireless local area network (WLAN), a virtual private network (VPN), anintranet, the Internet, Bluetooth, NFC or any other appropriatearchitecture or system that facilitates the communication of signals,data and/or messages (generally referred to as data).

According to an exemplary embodiment, the contactless device 120 mayconnect to network 140 via a wired connection. For example, theconnection may be a wired universal serial bus (USB) or Ethernetconnection. In an alternative exemplary embodiment, the contactlessdevice 120 may connect to the network via a wireless connection. Forexample, the connection may be a Wi-Fi or Bluetooth connection to ahotspot that has a wired/wireless Internet connection (for example,MiFi), or any other wired or wireless connection suitable forcommunicating signals with network 140. In an alternative exemplaryembodiment, the connection may be a cellular network connection.

The exemplary remote system 160 enables storage of smart card 110account information. In an exemplary embodiment, the user (notillustrated) creates a user account with the remote system 160 andregisters a smart card 110. The remote system stores the smart card 110data, including a history of all the card transactions, for example,each deposit of funds and each withdrawal of funds, for each account inthe data storage unit 161. In an exemplary embodiment, the remote system160 analyzes the transaction history to identify missing data orpossible errors.

In an exemplary embodiment, one or more signing keys 167 are utilized toauthenticate and certify data by the remote system 160. For example, thesigning keys 167 may be symmetric or asymmetric keys. In an exemplaryembodiment, the signing keys 167 exist only on the remote system 160 andare not readable or otherwise accessible by the contactless device 120,smart card 110 or card reader 150. An exemplary signing key 167 isdesignated as a teller signing key or a cashier signing key. Anexemplary teller signing key is used to authenticate and certify adepositing funds onto a smart card 110. An exemplary cashier signing keyis used to authenticate and certify a withdrawal of funds from a smartcard 110. In an exemplary embodiment, each deposit and each withdrawaltransaction is certified by a signing key 167 resident on the remotesystem 160. Whenever a merchant reads a smart card 110, it may verifythat the transaction records stored on the card are certified by a validsigning key 167. In an exemplary embodiment, the signing keys 167authorize and certify the transaction records with a digital signaturesigned by an asymmetric key. In an alternative exemplary embodiment, thesigning keys 167 authorize and certify the transaction records with amessage authorization code (MAC) signed by a symmetric key. The methodsof certifying a transaction are described in more detail hereinafterwith reference to the methods described in FIG. 2-10.

Throughout this specification, it should be understood that the terms“data” and “information” are used interchangeably herein to refer totext, images, audio, video, or any other form of information that canexist in a computer-based environment.

The components illustrated in FIG. 1 will be described in further detailhereinafter with reference to the methods depicted in FIGS. 2-7.

System Process

FIG. 2 is a block flow diagram depicting a method for processing adeposit of funds to a smart card 110 via a contactless device 120according to an exemplary embodiment. The method 200 is described withreference to the components illustrated in FIG. 1.

In an exemplary embodiment, a deposit transaction must be authorized bythe remote system 160 and certified by the cashier signing key 167. Thecontactless device 120 has network 140 access, to provide for suchauthorization and certification.

In block 210, the user “taps” the smart card 110 in the proximity of thecontactless device 120. In an exemplary embodiment, the contactlessdevice 120 generates a radio frequency (RF) or other field polling forthe presence of a smart card 110, and the user “taps” the smart card 110by placing the card 110 within the field of the contactless device 120.In an alternative exemplary embodiment, the merchant activates the RFfield or other field to poll for the presence of a smart card 110 usingan application 122 on the contactless device 120. In certain exemplaryembodiments, the systems and methods described in FIGS. 2-3 herein areperformed while the smart card 110 is tapped.

The contactless device 120 detects the smart card 110 and establishes asecure communication channel 130 in block 220. In an exemplaryembodiment, the secure communication channel 130 is an NFC communicationchannel.

In block 230, the contactless device 120 identifies the smart card 110.The method of identifying the smart card 110 is described in more detailhereinafter with reference to the methods described in FIG. 8.

FIG. 8 is a block flow diagram depicting a method for identifying thesmart card 110 according to an exemplary embodiment, as referenced inblock 230 of FIGS. 2 and 5. The method 230 is described with referenceto the components illustrated in FIG. 1.

In block 810, the contactless device 120 requests protocols andcharacteristics from the smart card 110. For example, the contactlessdevice 120 may request the identification of communication protocols(for instance ISO/IEC 14443, MIFARE, and/or ISO/IEC 18092), a list ofapplications 115 available, card identification information (forinstance a card number), and security protocols from the smart card 110.In an exemplary embodiment, the contactless device 120 also requests thecard verification number. In an exemplary embodiment, the contactlessdevice 120 may request verification of the access keys 119 contained onthe smart card 110 for mutual authentication between the smart card 110and the contactless device 120.

In block 820, the smart card 110 transmits the requested protocols andcharacteristics to the contactless device 120. In an exemplaryembodiment, the card verification number is encoded and stored in thememory 113 of the smart card 110 and not visible or otherwise written onthe physical card. The requested information is extracted andtransmitted to the contactless device 120 via the secure communicationchannel 130. In an alternative exemplary embodiment, the smart card 110is swiped in block 220. In this embodiment, the card account number andthe card verification are encoded in the data stored in the magneticstripe of the card and read by the contactless device 120.

In an exemplary embodiment, the data may include the sum of depositsand/or the sum of withdrawal information. In an exemplary embodiment,the contactless device 120 is capable of reading the data contained inthe monotonic counters 117. In an exemplary embodiment, the contactlessdevice 120 uses this data to determine the smart card 110 balance. Themethod of determining the smart card 110 balance is described in moredetail hereinafter with reference to the methods described in FIG. 10.

In block 830, the contactless device 120 receives and processes theprotocols and characteristics transmitted by the smart card 110. In anexemplary embodiment, the data encoding the card verification number maybe decoded by the remote system 160. In this exemplary embodiment, thecontactless device 120 receives the data encoding the card verificationnumber, without reading or decoding the data, and communicates it to theremote system 160 for verification. In an alternative exemplaryembodiment, the contactless device 120 may also be capable of decodingthe card verification number and confirm the identity of the smart card110.

In an alternative exemplary embodiment, the contactless device 120 readsthe information (including the protocols, characteristics and dataencoding the card verification number) directly from the smart card 110.

In block 835, the contactless device 120 verifies the smart card 110access key 119 and the smart card 110 verifies the contactless device120 access key 129. In an exemplary embodiment, the contactless device120 verifies the smart card 110 access key 119 with the session accesskey 129 resident on the contactless device 120. The smart card 110generates a number and transmits the number to the contactless device120. The contactless device 120 decrypts the number using the sessionaccess key 129 and transmits the decrypted number back to the smart card110. In an exemplary embodiment, the smart card 110 verifies thecontactless device 120 session access key 129 with the access key 119resident on the smart card 110. The contactless device 120 generates anumber and transmits the number to the smart card 110. The smart card110 decrypts the number using the access key 119 and transmits thedecrypted number back to the smart card 110. If the number decrypted bythe smart card 110 and the number decrypted by the contactless device120 match, the smart card and contactless devices are verified. In anexemplary embodiment, this verification indicates that the smart card110 and contactless device 120 have the correct permissions.

If the access keys 119 and 129 are not verified, the transaction isrejected, in block 837 and the method ends.

If the access keys 119 and 129 are verified, the method 230 continues toblock 840.

In block 840, the contactless device 120 determines whether it hasnetwork 140 access. For example, if the contactless device 120 hasnetwork 140 access, the method 230 may occur while the contactlessdevice 120 is connected to the remote system 160 and the smart card 110data may be transmitted to the remote system 160. However, if thecontactless device 120 does not have network 140 access and thetransaction is occurring offline, the contactless device 120 may proceedwith the transaction without transmitting the smart card 110 data to theremote system 160.

If the contactless device 120 has network 140 access, the contactlessdevice 120 transmits the smart card 110 data to the remote system 160,in block 845. In an exemplary embodiment, the contactless device 120will have network 140 access for every deposit transaction. In anexemplary embodiment, the contactless device 120 has network access andthe smart card data is automatically transmitted to the remote system160 upon receipt by the contactless device 120. In an alternativeexemplary embodiment, the operator of the contactless device 120initiates the transmission of the smart card data to the remote system160. In an exemplary embodiment, the smart card data comprises the cardaccount number and the card verification number.

In block 850, the remote system 160 receives the smart card data fromthe contactless device. In an exemplary embodiment, the remote system160 maintains a database of all smart cards and an account for eachsmart card 110. Each account for a particular smart card 110 cancomprise one or more of information maintained on the smart card 110,user registration information, transaction history, and otherinformation for maintaining the smart card 110. The remote system 160can store each account record in the database 161. The card accountinformation and the card verification number are among the datacommunicated from the contactless device 120 to the remote system 160and stored in the account.

In block 855, the remote system 160 cross-references the cardverification number and the card account number. In an exemplaryembodiment, the remote system 160 accesses the database of all smartcards and cross-references the numbers. In an alternative exemplaryembodiment, the remote system 160 accesses the smart card 110 accountusing the card account number and looks up the card verification number.In an exemplary embodiment, the remote system 160 is capable ofconfirming the identity of the smart card from the data transmitted. Theremote system 160 cross-references the card account number and the cardverification number. In an exemplary embodiment, the card verificationnumber is a 32-bit number specific to the card account number. The cardverification number may be a randomly generated number written into thecard data when the smart card 110 was created. The card verificationnumber may or may not be a number unique to a single card. For example,more than one smart card may have same card verification number.However, each smart card 110 has only one card verification number andthe correct card verification number must be submitted with the matchingcard account number to confirm a valid transaction.

In an exemplary embodiment, a new or inactivated smart card 110 may notcontain a card verification number. The lack of a verification numbermay indicate to the remote system 160 that the smart card needs to beactivated and the remote system 160 may transmit a message to thecontactless device 120.

In block 860, the remote system 160 determines if the card verificationnumber and card account number belong to the same card, thus confirmingthe identity of the smart card 110.

If the numbers are a match, the remote system 160 transmits verificationof the identity of the smart card 110 to the contactless device, inblock 863.

In block 865, the contactless device 120 receives the verification fromthe remote system 160.

From block 865, the method 230 proceeds to block 240 (FIG. 2), block 525(FIG. 5) or as appropriate.

Returning to block 860 (FIG. 8), if the card verification number andcard account number do not belong to the same smart card 110, theidentity of the smart card 110 is not verified and the method 230proceeds to block 870.

In block 870, the remote system 160 transmits a rejection message to thecontactless device 120 indicating that the identity of the smart card110 could not be verified.

In block 875, the contactless device 120 receives the message from theremote system 160. The contactless device 120 rejects the smart card 110transaction and the secure communication channel 130 is terminated.

Returning to block 840 (FIG. 8), if the contactless device 120 does nothave network 140 access, contactless device 120 may read the cardidentification information, including the card account number and cardverification number, in block 880. The contactless device 120 mayperform the smart card 110 verification without transmitting the data tothe remote system 160 in block 845. In an exemplary embodiment, theremote system 160 periodically communicates current smart card 110information to the contactless device 120. Exemplary smart card 110information comprises smart card account numbers and corresponding cardverification numbers. In an exemplary embodiment, the smart card 110information is stored by the contactless device 120. In an alternativeexemplary embodiment, the smart card 110 information is transmitted inthe session access key 129 transmitted by the remote system 160 to thecontactless device 120 at the beginning of each new session. In anexemplary embodiment, during an offline transaction, the contactlessdevice 120 can cross-reference the smart card 110 account number andverification number from the information transmitted by the remotesystem 160 without network 140 access to the remote system 140.

In block 885, the contactless device 120 determines if the cardverification number and the card account number are a valid match. In anexemplary embodiment, when a withdrawal transaction is performed withoutnetwork 140 access, the contactless device 120 may confirm the identityof the smart card 110 during the transaction process, as described inFIG. 5. In an exemplary embodiment, the contactless device 120 willconfirm that a valid card verification number is encoded by the smartcard 110 without accessing the remote system 160 database. A valid cardverification number may comprise any number that fulfills the perimetersdesignated by the remote system 160. For example, the card verificationnumber may be any 32-bit number that is encoded by the smart card 110 asthe verification number.

If the identity of the smart card 110 is not verified, the transactionis rejected in block 890 and the secure communication channel 130 isterminated.

If the identity of the smart card 110 is verified, the method 230proceeds to block 525 (FIG. 5) or as appropriate.

Returning to FIG. 2, in block 240, the contactless device 120 determineswhether the smart card 110 is a new or existing card. In an exemplaryembodiment, the contactless device 120 is capable of determining whetherthe smart card 110 is a new or existing card from the smart card datatransmitted in block 230. For example, the smart card data may indicatethat the smart card 110 has not yet been activated or that a cardverification number has not yet been assigned. In an alternativeexemplary embodiment, the remote system 160 may respond with informationregarding the smart card 110, such as whether the smart card 110 is anexisting card registered with the remote system 160 or the smart card110 is a new card that has not been registered to a user. In anotheralternative exemplary embodiment, the contactless device 120 maydetermine that the smart card has not yet been activated by the absenceof an access key 119.

If the smart card 110 is not new but is already registered with theremote system 160, the smart card 110 transmits the entire savedtransaction history from its memory 113 to the contactless device 120,in block 250. In an exemplary embodiment, the smart card 110 transmitsall deposit and withdrawal transactions to the contactless device 120.If the amount of the transactions exceeds the storage/memory 113capabilities of the smart card 110, the oldest transactions are droppedfrom the smart card memory 113. In an exemplary embodiment, the smartcard 110 alternatively or additionally transmits the sum of deposits andthe sum of withdrawals for all previous transactions to the contactlessdevice 120.

In an exemplary embodiment, the smart card 110 also transmits the datastored in the monotonic counters 117. The data may include the sum ofdeposits and/or the sum of withdrawal information. In an exemplaryembodiment, the contactless device 120 is capable of reading the datacontained in the monotonic counters 117, but is incapable or writing orotherwise changing this data. In an exemplary embodiment, thecontactless device 120 uses this data to determine the smart card 110balance. The method of determining the smart card 110 balance isdescribed in more detail hereinafter with reference to the methodsdescribed in FIG. 10.

FIG. 10 is a block flow diagram depicting a method for determining thesmart card 110 balance according to an exemplary embodiment, asreferenced in block 255 of FIG. 2. The method 255 is described withreference to the components illustrated in FIG. 1.

In block 1010, the contactless device 120 reads the deposit transactionswritten in the transaction history on the smart card 110. In anexemplary embodiment, the contactless device 120 uses the teller accesskey 129 to read the current deposit transactions. The contactless device120 then calculates the sum of deposits.

In an exemplary embodiment, a deposit transaction is recorded as:

D1: sum of deposits before this transaction

D2: sum of deposits after this transaction

Notation: +,D1→D2

In block 1015, the contactless device 120 reads the sum of deposits fromthe monotonic counter 117.

In block 1017, the contactless device 120 compares the sum of depositscalculated in block 1010 to the sum of deposits read from the monotoniccounter 117 in block 1015.

If these numbers do not match, a smart card 110 error is indicated inblock 1019 and the method 255 proceeds to block 290 in FIG. 2.

If these numbers match, the method 255 proceeds to block 1020 in FIG.10.

In block 1020, the contactless device 120 reads the withdrawaltransactions written in the transaction history on the smart card 110.In an exemplary embodiment, the contactless device 120 uses the tellerkey 129 to read the current withdrawal transactions. The contactlessdevice 120 then calculates the sum of withdrawals.

In an exemplary embodiment, a withdrawal transaction is recorded as:

W1: sum of withdrawals before this transaction

W2: sum of withdrawals after this transaction

Notation: −,W1−W2

In block 1025, the contactless device 120 reads the sum of withdrawalsfrom the monotonic counter 117.

In block 1027, the contactless device 120 compares the sum ofwithdrawals calculated in block 1020 to the sum of withdrawals read fromthe monotonic counter 117 in block 1025.

If these numbers do not match, a smart card 110 error is indicated inblock 1029 and the method 255 proceeds to block 290 in FIG. 2.

If these numbers match, the method 255 proceeds to block 260 in FIG. 2.

Returning to FIG. 2, in block 260, the contactless device 120 transmitsthe smart card 110 transaction history to the remote system 160. In anexemplary embodiment, the deposit transaction occurs when thecontactless device 120 has network 140 access, allowing for simultaneoustransmission of the smart card 110 transaction history to the remotesystem 160. In an alternative embodiment, the smart card 110 transactionhistory is stored on the contactless device 120 and transmitted to theremote system 160 at a later time after the completion of the deposit offunds via a wireless or wired network connection 140.

In an exemplary embodiment, the card identification information istransmitted to the remote system 160 with the transaction history. Thecard identification information comprises the card account number andthe card verification number. The transmission of the cardidentification information enables the remote system 160 to associatethe transaction history with the correct smart card 110 account and toconfirm the identity of the smart card 110. The methods for confirmingthe identity of the smart card 110 are described above with reference tomethod 230 (FIG. 8).

After the smart card 110 transactions are transmitted to the remotesystem 160, the remote system 160 analyzes and synchronizes thetransactions, in block 270. In an exemplary embodiment, block 270 occursimmediately after the transmission of the transactions to the remotesystem 160. In an alternative exemplary embodiment, block 270 occurs ata later time or at a set durational time period (for example, every 24hours). The method 270 of synchronizing smart card 110 transactions onthe remote system 160 is described in more detail hereinafter withreference to the methods described in FIG. 7.

The method 200 then proceeds to block 280 in FIG. 2.

Returning to block 240, if the smart card 110 is new, the new card isactivated and/or a new account is created at block 245. The method forcreating a new smart card account is described in more detailhereinafter with reference to the methods described in FIGS. 4 a and 4b.

If the smart card 110 is new, a new account is created at block 245. Inan exemplary embodiment, the user creates a new user account or logsinto an existing account via the remote system 160, with which the smartcard 110 will be associated. The method 245 a depicted in FIG. 4 adescribes associating a new smart card with a new or existing useraccount at the remote system 160.

In an alternative exemplary embodiment, the user activates a new smartcard 110 without creating or logging into a remote system 160 account.In this case, only a smart card account is created at the remote system160. The method for activating a new smart card 110 without a useraccount is described in more detail hereinafter with reference to themethods described in FIG. 4 b.

FIG. 4 a is a block flow diagram depicting a method 245 a for creating aremote system 160 user account for association with a smart card 110according to an exemplary embodiment, as referenced in block 245 of FIG.2. The method 245 a is described with reference to the componentsillustrated in FIG. 1.

Referring to FIG. 4 a, in block 410, the contactless device 120determines whether the user has a remote system 160 account.

If the user has a remote system 160 account, the user signs into theaccount via the contactless device 120, in block 420. In an exemplaryembodiment, the user utilizes the user interface 121 of the contactlessdevice 120 to communicate with the remote system 160 to access theuser's account. For example, the user may input a personalidentification number or other identifying and/or authenticationinformation to identify and access the user's account at the remotesystem 160.

If the user does not have a remote system 160 account, the user maycreate a new account via the contactless device 120, in block 430. In anexemplary embodiment, the user utilizes the user interface 121 of thecontactless device 120 to communicate with the remote system 160 tocreate an account. The user may be prompted to enter identifyinginformation, for example, user name, phone number, e-mail address,personal identification number or other password, or other suitableinformation to create the user account.

In block 440, the contactless device 120 transmits the user accountinformation to the remote system 160. Portions or all of block 440 mayoccur simultaneously with performance of blocks 420 or 430. In anexemplary embodiment, the contactless device 120 has network 140 accessand transmits the user account information using a wireless connection.In an alternative exemplary embodiment, the contactless device 120 isconnectively coupled via a wired connection to a computer that accessesthe remote system 160.

In block 450, the contactless device 120 transmits a request to theremote system 160 to register a new smart card 110 with the user'saccount. In an exemplary embodiment, the request includes information toidentify the card, such as a card number or other identifyinginformation stored on the smart card 110. The request also may includethe date the card was registered (for example, a time stamp), where thecard was registered (for example, information identifying the merchantthat registered the card), user information, or other suitableinformation.

The remote system 160 associates the smart card 110 with the user'saccount and activates the smart card 110, in block 460. In an exemplaryembodiment, the remote system 160 notes the information included in therequest in the user account to allow the user to view the smart card 110transaction history, sum of withdrawals, and sum of deposits by loggingonto the user's remote system 160 account.

In block 465, the remote system 160 generates a card verification numberand assigns this number to the smart card 110. The card verificationnumber is a number specific to the smart card account number. In anexemplary embodiment, the card verification number is a 32-bit numberrandomly generated by the remote system 160. The card verificationnumber is encoded in data that will be written on the smart card 110 andused to identify the smart card 110 to the remote system 160. In anexemplary embodiment, the remote system 160 also generates one or moreaccess keys 119 for the smart card 110.

In block 470, the remote system 160 transmits the initial smart card 110data to the contactless device 120. In an exemplary embodiment, theinitial data comprises activation data for the smart card 110, whichallows the smart card 110 to be used for purchase and/or deposittransactions. In an exemplary embodiment, the activation data alsocomprises the card verification number. In an exemplary embodiment, theactivation data includes one or more access keys 119.

In block 480, the contactless device 120 transmits the activation datato the smart card 110 and the activation data is stored in the memory113 of the smart card 110. In an exemplary embodiment, the activationdata is not stored in the contactless device. The smart card data,including the activation data is wiped from the contactless device 120when the secure communication channel 130 is terminated.

From block 480, the method 245 a proceeds to block 280 (FIG. 2) andfunds are deposited onto the smart card 110.

FIG. 4 b is a block flow diagram depicting a method 245 b for activatinga new smart card 110 without associating the smart card 110 with aremote system 160 user account according to an exemplary embodiment, asreferenced in block 245 of FIG. 2. The method 245 b is described withreference to the components illustrated in FIG. 1.

Blocks 450, 465, 470, and 480 depicted in FIG. 4 b are similar to blocks450, 465, 470, and 480 depicted in FIG. 4 a.

Referring back to FIG. 2, the contactless device 120 detects the smartcard 110 and establishes a secure communication channel 130 in block220, and the contactless device 120 identifies the smart card 110, inblock 230. The contactless device 120 then determines whether the smartcard 110 is a new or existing card, in block 240. In an exemplaryembodiment, the user activates a new smart card 110 without creating orlogging into a remote system 160 account.

In block 450, the contactless device 120 transmits a request to theremote system 160 to register a new smart card 110.

The remote system 160 activates the smart card 110, in block 460. In anexemplary embodiment, the remote system 160 logs the smart cardactivation information in a database. The smart card activationinformation may comprise one or more of the following: card accountnumber, date of activation, location of activation and merchantidentification. In an alternative exemplary embodiment, the remotesystem 160 assigns a personal identification number (PIN) or otherauthentication code to the smart card 110.

In block 465, the remote system 160 generates a card verification numberand assigns this number to the smart card 110. The card verificationnumber is a number specific to the smart card account number. In anexemplary embodiment, the card verification number is a 32-bit numberrandomly generated by the remote system 160. The card verificationnumber is encoded in data that will be written on the smart card 110 andused to identify the smart card 110 to the remote system 160. In anexemplary embodiment, the remote system 160 also generates one or moreaccess keys 119 for the smart card 110.

In block 470, the remote system 160 transmits the initial smart card 110data to the contactless device 120. In an exemplary embodiment, theinitial data includes the activation data for the smart card 110 and mayinclude the assigned PIN.

The contactless device 120 transmits the activation data to the smartcard, in block 480, which stores the activation data in the memory 113.

From block 480, the method 245 b proceeds to block 280 (FIG. 2) andfunds are deposited onto the smart card 110.

Returning to FIG. 2, in block 280, the contactless device 120 depositsfunds onto the smart card 110. The method of depositing funds isdescribed in more detail hereinafter with reference to the methodsdescribed in FIG. 3.

The method 200 then proceeds to block 290 in which the securecommunication channel 130 between the smart card 110 and the contactlessdevice 120 is terminated. In an exemplary embodiment, the smart cardactivation data from block 245, if applicable, is wiped from thecontactless device 120 upon termination of the secure communicationchannel 130 between the smart card 110 and the contactless device. In analternative exemplary embodiment, all smart card data is wiped from thecontactless device 120 upon termination of the secure communicationchannel 130 between the smart card 110 and the contactless device.

FIG. 9 is a block flow diagram depicting a method for transmitting anaccess key 129 to a contactless device 120 according to an exemplaryembodiment. The method 900 is described with reference to the componentsillustrated in FIG. 1.

In an exemplary embodiment, an access key 129 resident on thecontactless device 120 and/or the card reader 150 is used in combinationwith one or more monotonic counter 117 resident on the smart card 110 toallow for the verification of a transaction while the payment system 100is operating offline. An exemplary payment system 100 allows for theverification of the transaction by the payment device, i.e., thecontactless device 120 and/or card reader 150, instead of by the remotesystem 160 at the time of the transaction.

In block 910, the merchant starts a new cashier or teller session. Anexemplary cashier session involves the designation of the contactlessdevice 120 and/or card reader 150 as devices to transact a withdrawal offunds from the smart card 110. An exemplary teller session involves thedesignation of the contactless device 120 and/or card reader 150 asdevices to transact a deposit of funds onto the smart card 110.

In an exemplary embodiment, the merchant is required to start a newsession when logging onto the contactless device 120. In an alternativeexemplary embodiment, the merchant is required to start a new sessionwhen a maximum number of transactions or time limit has been reachedsince the previous session was started.

In an exemplary embodiment, the merchant enters the session informationwith the user interface 121 of the contactless device. In an exemplaryembodiment, a pop-up window appears after the contactless device 120 isstarted. In an alternative exemplary embodiment, the merchant accessesan application 122 to start a new session.

In block 920, the contactless device 120 determines whether it hasnetwork 140 access. In an exemplary embodiment, a new session must beauthorized by the remote system 160 and results in the transmission ofan access key 129 to the contactless device 120 and/or card reader 150.The contactless device 120 has network 140 access, to provide for suchauthorization and transmission.

If the contactless device 120 is without network 140 access, the newsession is rejected, in block 925 and the method 900 ends.

If the contactless device 120 has network 140 access, the method 900proceeds to block 930.

In block 930, a communication channel is established between the remotesystem 160 and the contactless device 120.

If the contactless device 120 has not had network 140 access andestablished a communication channel with the remote system 160 sinceperforming one or more withdrawal transactions with a smart card 110,the method 900 proceeds to blocks 940, 950 and 270. The methods forwithdrawing funds from a smart card 110 are described in more detailhereinafter with reference to the methods described in FIGS. 5-8.

In block 940, the contactless device 120 transmits any saved smart card110 transaction histories and withdrawal records to the remote system160. In an exemplary embodiment, the contactless device 120 alsotransmits the card identification information to the remote system 160.

In block 950, the remote system 160 certifies the withdrawal recordstransmitted by the contactless device 120. In an exemplary embodiment,the remote system 160 certifies the withdrawal records using the cashiersigning key 167 resident on the remote system 160. The cashier signingkey verifies the session information contained in withdrawal record assigned by cashier access key 129 resident on the contactless device 120at the time the withdrawal record was created. In an exemplaryembodiment, the cashier signing key 167 is utilized to authenticate andcertify data contained in the withdrawal record by the remote system160. Once the cashier signing key 167 certifies the withdrawal record, anotation is made onto the record for future access/reading by acontactless device 120 or card reader 150 with a valid access key 129 or159.

After the smart card 110 transactions are transmitted to the remotesystem 160, the remote system 160 analyzes and synchronizes thetransactions, in block 270, which is similar to the block 270 referencedin FIG. 2. In an exemplary embodiment, this action occurs in real-timewith (in other words, immediately after) the transmission of thetransactions to the remote system 160. In an alternative exemplaryembodiment, this action occurs at a later time or at a set durationaltime period (for example, once every 24 hours). The method 270 ofsynchronizing smart card 110 transactions on the remote system 160 isdescribed in more detail hereinafter with reference to the methodsdescribed in FIG. 7.

In an exemplary embodiment, a transaction made by mistake, may bereverted by a merchant. The merchant sends the original transactionidentification to the remote system 160 and requests reversion of thetransaction. In an exemplary embodiment, the remote system 160 creates anew transaction for the same amount, but as an opposite type oftransaction (for example, to revert a withdrawal, the transaction typewould be a deposit). The original transaction is still maintained in thetransaction history, but the smart card 110 balance is corrected thenext time the smart card is connected to a contactless device 120 withnetwork 140 access to the remote system 160.

If the no withdrawal transactions have occurred since the last sessionwas started by the contactless device 120, the method 900 proceedsdirectly to block 960

In block 960, the remote system 160 authenticates the contactless device120 and transmits an access key 129 for the new session. In an exemplaryembodiment, the merchant designates whether the contactless device 120will be used for deposit or withdrawal transactions by entering thecorrect session designation into the user interface 121 on thecontactless device 120. In an alternative exemplary embodiment, themerchant designates the contactless device 120 as performing both typesof transactions. In an additional alternative exemplary embodiment, themerchant does not designate a type of session and the contactless device120 is designated for a particular session type or both types ofsessions by the remote system 160.

In an exemplary embodiment, the appropriate session access key 129 istransmitted to the contactless device 120 by the remote system 160. Theremote system 160 maintains a log of which session access key 129 istransmitted to each contactless device 120. In an exemplary embodiment,the log contains a list of each session access key 129 transmitted tothe contactless device 120 over a period of time. The remote system 160can access the log to cross-reference the deposit/withdrawal records anddetermine which contactless device 120 created each record. In anexemplary embodiment, this may also allow the remote system 160 todetermine the date, time, location, and/or merchant name that createdthe record.

In block 970, the communication channel between the contactless device120 and the remote system 160 is terminated. In an exemplary embodiment,a contactless device 120 that is designated for deposit transactions andhas received a teller session access key 129 will remain connected tothe remote system 160 for the duration of the session. Because deposittransactions require network access, the contactless device 120 will notterminate the communication channel. Upon termination of thecommunication channel, the session is ended and a new session key isrequired to conduct additional transactions. In an alternative exemplaryembodiment, the contactless device 120 may terminate the communicationchannel with the remote system 160 and re-establish a connection priorto conducting a deposit transaction without requiring a new session key.

In an exemplary embodiment, a contactless device 120 that is designatedfor withdrawal transactions and has received a cashier session accesskey 129 may terminate the communication channel at any time during thesession. Because withdrawal transactions do not require network access,the contactless device 120 may terminate the communication channel atany time without requiring a new session key to conduct the withdrawaltransactions.

In an exemplary embodiment, the session access key 129 transmitted tothe contactless device 120 is used until the merchant logs out of thedevice or ends the session. In an alternative exemplary embodiment, thesession access key 129 has a defined duration, geographical perimeter,and/or maximum number of transactions quota that may also terminate thesession key.

In block 980, the merchant logs out of the contactless device 120, endsthe session, or otherwise terminates the session access key 129. In anexemplary embodiment, one or more transactions may occur, as describedin more detail in this specification, with reference to the methodsdescribed herein before the session is terminated.

In block 990, the session access key 129 is removed from the contactlessdevice 120. In an exemplary embodiment, the session access key 129 iswiped from the contactless device 120 memory when the session isterminated. In an exemplary embodiment, the session access key is notwritten to the device. Instead, the device is briefly stored in thememory of the device 120 and is removed upon termination of the sessionto prevent a malicious actor from reading the access key data is thecontactless device 120 is compromised or not running.

FIG. 3 is a block flow diagram depicting a method for depositing fundsto a smart card 110 via a contactless device 120 according to anexemplary embodiment, as referenced in block 280 of FIG. 2. The method280 is described with reference to the components illustrated in FIG. 1.

In block 310, the user pays the merchant for the deposit of funds. In anexemplary embodiment, the payment is a cash payment. In an alternativeexemplary embodiment, the payment is a credit card payment or otherelectronic payment. In this embodiment, payment may be made using acontactless tap of the credit card to the contactless device or byswiping the credit card or other card with a credit card reader.

The merchant enters the deposit information into the contactless device120, in block 320. In an exemplary embodiment, the merchant enters thedeposit information with the user interface 121 of the contactlessdevice. In an exemplary embodiment, a pop-up window appears after thesmart card 110 transaction history is transmitted to the remote system160. In an alternative exemplary embodiment, the merchant accesses anapplication 122 to enter the deposit information.

In block 325, the contactless device creates a deposit request and signsthe request with the teller access key 129. In an exemplary embodiment,the teller access key 129 was transmitted to the contactless device 120prior to the start of a new session, as described above with referenceto FIG. 9. In an exemplary embodiment, a signature by the teller accesskey 129 identifies the merchant, contactless device 120, date, timeand/or location where the deposit request was created. Because of theaccess/permission limitations of the teller access key 129, thecontactless device 120 cannot write deposit data to the smart card 110.Instead, the contactless device 120 creates a deposit request that mustbe certified by the remote system 160 before the deposit of funds areavailable for use by the smart card 110. In an alternative exemplaryembodiment, the deposit request is maintained in the transaction historyof smart card 110 and may be accessed/read by a contactless device 120during future transactions.

In block 330, the contactless device transmits a deposit request to theremote system 160 via a network 140. In an exemplary embodiment, thedeposit request comprises the deposit amount, smart card identificationinformation, a timestamp, and the merchant identification. In anexemplary embodiment, the smart card identification information includesthe card account number and the card verification number. In anexemplary embodiment, the card identification information is encoded inthe smart card data transmitted to or read by the contactless device 120in block 230. In an exemplary embodiment, the deposit request alsoincludes the teller access key 129 signature, which is readable by theremote system 160 and may denote the date, time, location, merchant nameand/or contactless device 120 that created the deposit request.

In block 335, the remote system 160 verifies the identity of the smartcard. In an exemplary embodiment, the remote system 160 is capable ofidentifying the smart card 110 from the data transmitted in the depositrequest. The remote system 160 cross-references the card account numberand the card verification number to confirm the correct cardverification number is encoded by in the card identification data. In analternative exemplary embodiment, the remote system 160 maintainsnetwork 140 access to the contactless device 120 and has alreadyconfirmed the identity of the smart card 110 in block 230 (FIG. 2).

If the identity of the smart card 110 is not verified, the transactionis rejected in block 337 and the method 280 ends.

If the identity of the smart card 110 is verified, the method 280proceeds to block 340. In block 340, the remote system 160 updates theaccount associated with the smart card 110 to include the deposit offunds and calculates a new sum of deposits for the smart card 110. Inthis regard and as described herein with reference to the records of thesmart card 110 maintained by the remote system 160, the remote system160 can maintain an account for each smart card 110. Each account for aparticular smart card 110 can comprise one or more of informationmaintained on the smart card 110, user registration information,transaction history, and other information for maintaining the smartcard 110. The remote system 160 can store each account record in thedatabase 161.

In block 350, the remote system 160 authorizes and certifies the depositusing the teller signing key 167 and transmits the deposit record to thecontactless device 120. In an exemplary embodiment, the remote system160 reviews the signed deposit request and authorizes the teller accesskey 129 signature. The remote system 160 accesses a master key toconfirm that authenticity of the teller access key 129 signature. In analternative exemplary embodiment, the remote systems 160 may reviewadditional details, such as the number of transactions performed duringthe session, any geographic location restraints, any restrictions onsize or amount of deposit allowed, and/or any additional possiblerestraints placed on the teller access key 129 to confirm the key isactive.

In block 360, the contactless device 120 transmits the deposit record tothe smart card 110. In an exemplary embodiment, the deposit recordcomprises the new sum of deposits, the card identification, a timestamp, a merchant identification, a signature by the teller access key129 and certification by the teller signing key 167. In an exemplaryembodiment, the contactless device 120 writes the certified depositrecord to the smart card 110 using the teller access key 129.

From block 360, the method 280 proceeds to block 290 (FIG. 2).

In an alternative embodiment, the user may deposit funds to the remotesystem 160 using a computer (not illustrated) and network 140. In thisembodiment, the user makes a payment of funds to the remote system 160,and the remote system 160 associates the funds with the accountcorresponding to the particular smart card 110 in the possession of theuser, based on identification information of the smart card 110. Theuser can deposit funds to the remote system 160 using any electronicpayment method accepted by the remote system 160 and available to theuser via the computer operated by the user. The funds are not stored onthe smart card 110 until the user taps the smart card 110 with acontactless device 120, where the contactless device 120 hascommunication access with the remote system 160 via the network 140.Blocks 310-340 may be omitted from the method 280, and the funds may bedeposited on the smart card 110 by following blocks 350-360 uponidentification of the smart card 110 to the remote system 160 by thecontactless device 120. For example, after the transaction history iscommunicated to the remote system 160 at block 260, the remote system160 confirms the identity of the smart card 110 using the card accountnumber and card verification number and then transmits a deposit recordto the contactless device 120 at block 350.

FIG. 5 is a block flow diagram depicting a method 500 for processing awithdrawal of funds from a smart card 110 via a contactless device 120according to an exemplary embodiment. The method 500 is described withreference to the components illustrated in FIG. 1.

In an exemplary embodiment, a withdrawal transaction does not requireremote system 160 authorization. The contactless device 120 may or maynot have network 140 access at the time of the transaction.

In block 510, the user “taps” the smart card 110 in the proximity of thecontactless device 120. In an exemplary embodiment, the card reader 150that reads information from the smart card 110 is a part of thecontactless device 120. In an alternative exemplary embodiment, the cardreader 150 is a separate stand-alone device in communication with acomputer, such as the contactless device 120.

In an exemplary embodiment, the contactless device 120 generates a radiofrequency (RF) or other field polling for the presence of a smart card110, and the user “taps” the smart card 110 by placing the card 110within the field of the contactless device 120. In an alternativeexemplary embodiment, the merchant activates the RF field or other fieldto poll for the presence of a smart card 110 using an application 155 onthe card reader 150. In certain exemplary embodiments, the systems andmethods described in FIGS. 5-6 herein are performed while the smart card110 is tapped.

The contactless device 120 detects the smart card 110 and establishes asecure communication channel 130 in block 515. In an exemplaryembodiment, the secure communication channel 130 is an NFC communicationchannel.

The contactless device 120 identifies the smart card 110, in block 270,which is similar to the block 230 referenced in FIGS. 2 and 8.

If the identity of the smart card 110 is not verified, the transactionis rejected and the method 500 ends.

If the identity of the smart card 110 is verified, the method 500proceeds to block 525 (FIG. 5).

Returning to FIG. 5, in block 525, the smart card 110 transmits theentire saved transaction history from its memory 113 to the contactlessdevice 120. In an exemplary embodiment, the smart card 110 transmits alldeposit and withdrawal transactions to the contactless device 120. Ifthe amount of the transactions exceeds the storage/memory 113capabilities of the smart card 110, the oldest transactions are droppedfrom the smart card memory 113. In an exemplary embodiment, the smartcard 110 alternatively or additionally transmits the sum of deposits andthe sum of withdrawals for all previous transactions to the contactlessdevice 120. In an alternative exemplary embodiment, the smart card 110transmits the last deposit transaction and the entire saved withdrawaltransaction history from its memory 113 to the contactless device 120.If the amount of withdrawals exceeds the storage/memory 113 capabilityof the smart card 110, the oldest transactions are dropped from thesmart card memory 113. In an exemplary embodiment, the transmission ofthe withdrawal history includes the last several withdrawal transactionsto ensure if a particular contactless device 120 doesn't come backonline its transactions still get transmitted to the remote system 160.

In block 530, the contactless device 120 determines whether the smartcard 110 has a sufficient balance for the transactions. The method ofdetermining the balance of funds on a smart card 110 is described inmore detail hereinafter with reference to the methods described in FIG.6.

FIG. 6 is a block flow diagram depicting a method 530 for determiningwhether a smart card 110 has a sufficient balance of funds for awithdrawal transaction according to an exemplary embodiment. The method530 is described with reference to the components illustrated in FIG. 1.

In an exemplary embodiment, determining the smart card 110 balance willrequire the transmission of the entire transaction history in block 525(FIG. 5) and the transmission of the monotonic counter 117 in block 820(FIG. 8). In an alternative exemplary embodiment, it may be difficult todetermine the smart card 110 balance using the remote system 160records, since a withdrawal may or may not occur when the contactlessdevice 120 has network access to the remote system 160. Therefore, thesum of deposits and sum of withdrawals will be calculated and saved onthe smart card 110 may be at least a part of the transaction historystored on the smart card 110.

In block 610, the contactless device 120 reads the current sum ofdeposits from the smart card 110. In an exemplary embodiment, thecontactless device 120 contains the entire transaction historytransmitted from the smart card 110, at block 525 (FIG. 5) andcalculates the sum of deposits using the transaction history. In analternative exemplary embodiment, the transaction history includes acurrent sum of deposits. In this embodiment, the contactless device 120reviews the current sum of deposits entry from the transaction history.

In block 615, the contactless device 120 reads the monotonic counter 117and compares this to the sum of deposits calculated in block 610. In anexemplary embodiment, the monotonic counter 117 contains the sum ofdeposits. The contactless device 120 is capable of reading the datacontained in the monotonic counters 117, but is incapable or writing orotherwise changing this data. Because the sum of deposit is store in themonotonic counter (which can only be incremented, not decreased), asmart card 110 that has been rolled back to a previous state can bedetected and inactivated.

In block 617, the sum of deposits calculated in block 610 and the sum ofdeposits read from the monotonic counter 117 in block 615 are compared.In an alternative exemplary embodiment, a monotonic counter 117 isincreased during each deposit transaction and the total number ofdeposit transactions saved in the transaction history is compared to thenumber designated by the monotonic counter 117.

If the number do not match, an error is indicated in block 619 and themethod 530 proceeds to block 575 in FIG. 5.

If the numbers do match, the method 530 proceeds to block 620.

In block 620, the contactless device 120 reads the current sum ofwithdrawals from the smart card 110. In an exemplary embodiment, thecontactless device 120 contains the entire transaction historytransmitted from the smart card 110, at block 525 (FIG. 5) andcalculates the sum of withdrawals using the transaction history. In analternative exemplary embodiment, the transaction history includes thesum of withdrawals. In this embodiment, the contactless device 120reviews the current sum of withdrawals from the transaction history.

In block 625, the contactless device 120 reads the monotonic counter 117and compares this to the sum of withdrawals calculated in block 620. Inan exemplary embodiment, the monotonic counter 117 contains the sum ofwithdrawals. The contactless device 120 is capable of reading the datacontained in the monotonic counters 117, but is incapable or writing orotherwise changing this data. Because the sum of withdrawals is store inthe monotonic counter (which can only be incremented, not decreased), asmart card 110 that has been rolled back to a previous state can bedetected and inactivated.

In block 627, the sum of withdrawals calculated in block 620 and the sumof withdrawals read from the monotonic counter 117 in block 625 arecompared. In an alternative exemplary embodiment, a monotonic counter117 is increased during each withdrawal transaction and the total numberof withdrawal transactions saved in the transaction history is comparedto the number designated by the monotonic counter 117.

In an exemplary embodiment, the remote system 160 will have the currentsum of deposits, since these transactions are completed while thecontactless device 120 has network 140 access to the remote system 160.The remote system 160 may not have the current sum of withdrawals, sincethe contactless device 120 may or may not have network 140 access to theremote system 160 at the time of the transaction, but the remote system160 will have the sum of withdrawals at the time of the lastsynchronization. The contactless device 120 reads the current sum ofwithdrawals by reading the last withdrawal transaction from the smartcard 110 and the current sum of deposits by reading the last deposittransaction from the smart card 110.

If the number do not match, an error is indicated in block 626 and themethod 530 proceeds to block 575 in FIG. 5.

If the numbers do match, the method 530 proceeds to block 630.

In block 630, the contactless device 120 calculates the current smartcard 110 balance. In an exemplary embodiment, the balance is calculatedby subtracting the sum of withdrawals from the sum of deposits. In anexemplary embodiment, the contactless device 120 can calculate the lowerboundary of the card balance. For example:Balance≧last known sum of deposits−last known sum of withdrawals

For example, using the following transaction history:

A new card is created with zero balance +, 0→0 −, 0→0 Deposit 20 +, 0→20Withdraw 4 −, 0→4 Withdraw 8  −4→12 Deposit 10 +20→30 Withdraw 7 −,12→19 Withdraw 2 −, 19→21

-   -   the current card balance can be calculated using the last        deposit and withdrawal transactions:    -   +,20→30    -   −,19→21    -   Balance=30−21=9

In block 640, the contactless device 120 determines whether the smartcard 110 balance is a number greater than or equal to the currenttransaction cost. In an exemplary embodiment, the smart card 110 balancemay not be a negative number (in other words, the smart card 110 may notbecome overdrawn).

In an alternative exemplary embodiment, the smart card 110 calculatesand stores a balance in the memory 113 after each transaction. In yetanother exemplary embodiment, the smart card 110 stores a running listof all transactions and the balance is calculated by adding/subtractingeach transaction as appropriate.

From block 640, the method 530 proceeds to block 540 or block 535 (FIG.5).

Returning to FIG. 5, if the contactless device 120 determines in block530 that the smart card 110 does not have a sufficient balance for thetransaction, the transaction is rejected in block 535, and the securecommunication channel 130 is terminated.

If the contactless device 120 determines in block 530 that the smartcard 110 has a sufficient balance for the transaction, the contactlessdevice 120, the method proceeds to block 537.

In block 537, the contactless device creates a withdrawal record andsigns the record with the cashier access key 129. In an exemplaryembodiment, the cashier access key 129 was transmitted to thecontactless device 120 prior to the start of a new session, as describedabove with reference to FIG. 9. In an exemplary embodiment, a signatureby the cashier access key 129 identifies the merchant, contactlessdevice 120, date, time and/or location where the withdrawal record wascreated. Because of the access/permission limitations of the cashieraccess key 129, the withdrawal record must be certified by the remotesystem 160. In an exemplary embodiment, the withdrawal record ismaintained in the transaction history of smart card 110 and may beaccessed/read by a contactless device 120 during future transactions.

In block 540, the contactless device 120 transmits the signed withdrawalrecord to the smart card 110. In an exemplary embodiment, thecontactless device 120 writes the withdrawal record to the smart card110 using the cashier access key 129. In an exemplary embodiment, thecontactless device 120 writes a new transaction record to the smart card110 illustrating the recent withdrawal transaction. The withdrawaltransaction record comprises the transaction amount and a new sum ofwithdrawals as calculated by the contactless device 120. In an exemplaryembodiment, the contactless device 120 creates a new withdrawal recordand adds the record to the transaction history previously transmittedfrom the smart card 110 at block 525. In an exemplary embodiment, thewithdrawal record also can comprise the smart card identification, atime stamp, the merchant identification, the amount of the withdrawal,the cashier access key 129 signature and other suitable information. Inan exemplary embodiment, the smart card identification can comprise thecard account number and the card verification number.

In an exemplary embodiment, the contactless device 120 increments themonotonic counter 117 resident on the smart card 110. In an exemplaryembodiment, the session access key 129 resident on the contactlessdevice 120 is utilized to increment the monotonic counter 117. In anexemplary embodiment, the monotonic counter 117 may be incremented bythe amount of the withdrawal transaction. In an alternative exemplaryembodiment, the monotonic counter 117 may be incremented by a fixednumber representing the withdrawal transaction. For example, for eachwithdrawal transaction, the monotonic counter 117 may be incremented byone. In an exemplary embodiment, the monotonic counter 117 is capableonly of being increased, not decreased.

In an exemplary embodiment, a different contactless device 120 cannotverify a withdrawal record signed by another contactless device 120.Each cashier access key 129 is unique to a particular contactless device120 and not capable of being read by or verified by a differentcontactless device 120. Therefore, certification by the cashier signingkey 167 resident only on the remote system 160 is required to verify awithdrawal transaction.

From block 540, the method 500 proceeds to block 545. In block 545, thecontactless device 120 indicates that the transaction was successful,and the secure communication channel 130 is terminated, in block 550.

In block 560, the contactless device 120 determines whether it hasnetwork 140 access to the remote system 160. If the contactless device120 does not have network 140 access, the contactless device 120 storesthe smart card 110 identification information and transaction history(including the newly-added record) until network 140 access isavailable.

If the contactless device 120 has network 140 access, the contactlessdevice 120 establishes a communication channel with the remote system160, in block 565.

In block 570, the contactless device 120 transmits the cardidentification information, any signed withdrawal records and thetransaction history to the remote system 160. In an exemplaryembodiment, the withdrawal transaction occurs when the contactlessdevice 120 has network 140 access, allowing for simultaneoustransmission of the smart card 110 transaction history to the remotesystem 160. In this embodiment, the remote system 160 may perform theidentification of the smart card in block 520. In an alternativeembodiment, the withdrawal transaction occurs when the contactlessdevice 120 is without network 140 access. In this embodiment, thecontactless device 120 may perform the identification of the smart cardin block 520 and store the card identification information andtransaction history to be transmitted to the remote system 160 at alater time.

In block 573, the remote system 160 authorizes and certifies thewithdrawal record using the cashier signing key 167. In an exemplaryembodiment, the remote system 160 reviews the signed withdrawal requestand authorizes the cashier access key 129 signature. The remote system160 accesses a master key to confirm that authenticity of the cashieraccess key 129 signature. In an alternative exemplary embodiment, theremote systems 160 may review additional details, such as the number oftransactions performed during the session, any geographic locationrestraints, any restrictions on size or amount of withdrawals allowed,and/or any additional possible restraints placed on the cashier accesskey 129 to confirm the key is active.

In an exemplary embodiment, the withdrawal transaction occurred whilethe contactless device 120 had network 140 access and the contactlessdevice 120 transmits the certified withdrawal record to the smart card110. In an alternative exemplary embodiment, the withdrawal transactionoccurred offline, without network 140 access and the certifiedwithdrawal record is not transmitted to the smart card 110 until thenext transaction that occurs during network 140 access. In an exemplaryembodiment, the certified withdrawal record comprises the new sum ofwithdrawals, the card identification, a time stamp, a merchantidentification, a signature by the cashier access key 129 andcertification by the cashier signing key 167.

After the withdrawal transactions are certified, the remote system 160analyzes and synchronizes the transactions, in block 270, which issimilar to the block 270 referenced in FIG. 2. In an exemplaryembodiment, this action occurs in real-time with (in other words,immediately after) the transmission of the transactions to the remotesystem 160. In an alternative exemplary embodiment, this action occursat a later time or at a set durational time period (for example, onceevery 24 hours). The method 270 of synchronizing smart card 110transactions on the remote system 160 is described in more detailhereinafter with reference to the methods described in FIG. 7.

In an exemplary embodiment, a transaction made by mistake, may bereverted by a merchant. The merchant sends the original transactionidentification to the remote system 160 and requests reversion of thetransaction. In an exemplary embodiment, the remote system 160 creates anew transaction for the same amount, but as an opposite type oftransaction (for example, to revert a withdrawal, the transaction typewould be a deposit). The original transaction is still maintained in thetransaction history, but the smart card 110 balance is corrected thenext time the smart card is connected to a contactless device 120 withnetwork 140 access to the remote system 160.

In block 575, the secure communication channel is terminated, and themethod 500 ends.

FIG. 7 is a block flow diagram depicting a method for synchronizingsmart card 110 transactions on a remote system 160 according to anexemplary embodiment, as referenced in block 270 of FIGS. 2 and 5. Themethod 270 is described with reference to the components illustrated inFIG. 1.

The remote system 160 performs an analysis and synchronization of thesmart card 110 transaction history received from the contactless device120. In an exemplary embodiment, the remote system 160 performs theanalysis when the transaction history is transmitted. In an alternativeexemplary embodiment, the analysis is performed at set time intervals(for example, once every 24 hours). Because the deposit transactions arecompleted with network 140 access, an analysis of the deposittransactions is not required, as those deposit transactions are updatedin the remote system 160 in real-time. In an alternative exemplaryembodiment, an analysis of the withdrawal and deposit transactions isperformed.

In block 710, the remote system 160 reads the withdrawal transactions,sorted by the sum of withdrawals. For example, in an exemplaryembodiment:

−,0→W1

−,W1→W2

−,W2→W3

. . .

−,W(n−1)→W(n), where “W” is a withdrawal transaction.

In block 720, the remote system 160 determines whether a gap existsbetween adjacent withdrawal transactions.

If a gap exists between adjacent transactions, the remote system 160determines whether transaction records are missing and a synchronizationis needed, in block 730. For example, the following sum of withdrawalrecords indicate a missing transaction:

−,0→4

−,4→12

−,19→21 (missing transaction between 12 and 19).

Thus, the remote system 160 has information indicating the current sumof withdrawals for the smart cart 110 (which sum is 21), even though theremote system 160 does not have a transaction record (−,12→19)corresponding to the withdrawal of 7 from the smart card 110. Thismissing record scenario is indicative of an offline transaction(−,12→19) occurring between two online transactions (−,4→12 and−,19→21). Alternatively, one or both of the transactions bounding themissing transaction could have occurred offline and have since beencommunicated to the remote system 160 when the corresponding contactlessdevice 120 obtained network 140 access to the remote system 160.Additionally, because the sum of withdrawals maintained on the card iscurrent, even after an offline transaction, the balance of the card canbe determined at the point of sale for the next merchant.

Synchronization will occur when the transaction record for the missingtransaction is communicated to the remote system 160, which occurs whenthe corresponding contactless device 120 obtains network 140 access tothe remote system 160. Then, the remote system 160 can analyze thetransaction history to determine that all transaction records areincluded.

The sum of deposits could be analyzed in a similar manner if a deposittransaction is allowed to be performed offline.

From block 730, the method 270 proceeds to block 750.

Referring back to block 720, if a gap does not exist in adjacenttransactions, the remote system 160 determines all records are presentin block 740. From block 740, the method 270 proceeds to block 750.

In block 750, the remote system 160 determines whether overlappingtransactions exist in the transaction history for the smart card 110.

If overlapping transactions exist, the remote system 160 determines anerror has occurred (for example, a withdrawal occurred without writing arecord to the smart card 110), in block 760. For example, the followingillustrates an overlapping transaction:

-   -   −,0→4    -   −,4→12    -   −,4→8 (overlapping transaction as two transactions begin with a        sum of withdrawals of −4).

If an overlapping transaction exists, the method 270 proceeds to block760 in which the remote system 160 reports an error in the transactionhistory for the smart card 110 and deactivates the smart card 110 fromfurther use.

Referring back to block 750, if overlapping transactions do not exist,the method 270 proceeds to block 770. In block 770, the remote system160 determines errors do not exist.

From blocks 760 or 770, the method 270 proceeds to block 280 of FIG. 2or block 575 of FIG. 5, as appropriate.

In an exemplary embodiment, the remote system 160 maintains a list ofblocked (deactivated) smart cards 110. The device reader 150 andcontactless device 120 receive a list of blocked smart cards 110 whenconnected to the remote system 160. Transaction requests from a blockedsmart card 110 are rejected.

General

Users may be allowed to limit or otherwise affect the operation of thefeatures disclosed herein. For example, users may be given opportunitiesto opt-in or opt-out of the collection or use of certain data or theactivation of certain features. In addition, users may be given theopportunity to change the manner in which the features are employed,including for situations in which users may have concerns regardingprivacy. Instructions also may be provided to users to notify themregarding policies about the use of information, including personallyidentifiable information, and manners in which each user may affect suchuse of information. Thus, information can be used to benefit a user, ifdesired, through receipt of relevant advertisements, offers, or otherinformation, without risking disclosure of personal information or theuser's identity.

One or more aspects of the exemplary embodiments may include a computerprogram that embodies the functions described and illustrated herein,wherein the computer program is implemented in a computer system thatcomprises instructions stored in a machine-readable medium and aprocessor that executes the instructions. However, it should be apparentthat there could be many different ways of implementing the exemplaryembodiments in computer programming, and the exemplary embodimentsshould not be construed as limited to any one set of computer programinstructions. Further, a skilled programmer would be able to write sucha computer program to implement an embodiment based on the appended flowcharts and associated description in the application text. Therefore,disclosure of a particular set of program code instructions is notconsidered necessary for an adequate understanding of how to make anduse the exemplary embodiments. Moreover, any reference to an act beingperformed by a computer should not be construed as being performed by asingle computer as the act may be performed by more than one computer.

The exemplary systems, methods, and blocks described in the embodimentspresented previously are illustrative, and, in alternative embodiments,certain blocks can be performed in a different order, in parallel withone another, omitted entirely, and/or combined between differentexemplary methods, and/or certain additional blocks can be performed,without departing from the scope and spirit of the invention.Accordingly, such alternative embodiments are included in the inventiondescribed herein.

The invention can be used with computer hardware and software thatperforms the methods and processing functions described above. As willbe appreciated by those having ordinary skill in the art, the systems,methods, and procedures described herein can be embodied in aprogrammable computer, computer executable software, or digitalcircuitry. The software can be stored on computer readable media. Forexample, computer readable media can include a floppy disk, RAM, ROM,hard disk, removable media, flash memory, memory stick, optical media,magneto-optical media, CD-ROM, etc. Digital circuitry can includeintegrated circuits, gate arrays, building block logic, fieldprogrammable gate arrays (“FPGA”), etc.

Although specific embodiments of the invention have been described abovein detail, the description is merely for purposes of illustration.Various modifications of, and equivalent blocks corresponding to, thedisclosed aspects of the exemplary embodiments, in addition to thosedescribed above, can be made by those having ordinary skill in the artwithout departing from the spirit and scope of the invention defined inthe following claims, the scope of which is to be accorded the broadestinterpretation so as to encompass such modifications and equivalentstructures.

What is claimed is:
 1. A computer-implemented method for processing awithdrawals of funds during offline payment processing of purchases,comprising: starting a payment session by a mobile communication device;establishing, by the mobile communication device, a network connectionwith a computer managing smart card device accounts; receiving, by themobile communication device, a session access key from, the computermanaging the smart card device accounts; establishing, by the mobilecommunication device, a communication channel with a smart card devicewhile the mobile communication device is without a network connection tothe computer managing the smart card device accounts; receiving, by themobile communication device and from the smart card device, a smart carddevice transaction history comprising a listing of previous deposittransactions and a listing of previous withdrawal transactions;calculating, by the mobile communication device, an amount of previouswithdrawals using the listing of previous withdrawal transactions and anamount of previous deposits using the listing of previous deposittransactions; authorizing, by the mobile communication device andwithout a network connection to the computer managing the smart carddevice accounts, an offline debit transaction by determining that acurrent transaction amount is less than or equal to a difference betweenthe amount of previous deposits and the amount of the previouswithdrawals; creating, by the mobile communication device, an offlinewithdrawal transaction record subtracting the current transaction amountfrom a smart card device account balance; signing, by the mobilecommunication device, the withdrawal transaction record using thesession access key; and writing, by the mobile communication device, thesigned withdrawal transaction record to the smart card devicetransaction history, the signed withdrawal transaction record indicatingthe current transaction amount debited from the smart card deviceaccount balance and the session access key signature.
 2. Thecomputer-implemented method of claim 1, further comprising:establishing, by the mobile communication device, a second networkconnection with the computer managing the smart card device accountsafter completing the offline debit transaction with the smart carddevice, without the network connection to the computer, andtransmitting, by the mobile communication device, the smart card devicetransaction history and the signed withdrawal transaction record to thecomputer managing the smart card device accounts after establishing thenetwork connection.
 3. The computer-implemented method of claim 1,wherein the session access key comprises a teller access key allowingthe mobile communication device to perform debit transactions with smartcard devices that have smart card device accounts managed by thecomputer without a network connection to the computer.
 4. Thecomputer-implemented method of claim 1, wherein the session access keyhas a maximum quota of allowed debit transactions, wherein the maximumquota allowed comprises one of a maximum number of transactions allowedper session, a maximum time period for the session, a maximum amount ofmoney per transaction, and a maximum amount of money per session.
 5. Thecomputer-implemented method of claim 1, where a new session access keyis required for each new payment session started by the mobilecommunication device.
 6. The computer-implemented method of claim 1,wherein calculating the amount of previous deposits comprises: sortingdeposit transactions in order of deposit from a previous deposit D(n−1)to a latest deposit D(n); and reviewing the latest deposit transactionto identify the amount of previous deposits.
 7. The computer-implementedmethod of claim 1, wherein calculating the amount of previouswithdrawals comprises: sorting withdrawal transactions in order ofwithdrawal from a previous withdrawal W(n−1) to a latest withdrawalW(n); and reviewing the latest withdrawal transaction to identify theamount of previous withdrawals.
 8. The computer-implemented method ofclaim 2, further comprising: receiving, by the computer managing thesmart card device accounts and from the mobile communication device, thesmart card device transaction history and the withdrawal transactionrecord; processing, by the computer managing smart card device accounts,the withdrawal transaction record by verifying an identity of the smartcard device, verifying the session access key signature, and calculatinga new sum of withdrawals for the smart card device, the new sum ofwithdrawals equaling a previous sum of withdrawals plus the debitedamount; certifying, by the computer managing smart card device accounts,the withdrawal transaction record with a signing key; and updating, bythe computer smart card device accounts, an account associated with thesmart card device with the certified withdrawal transaction record andnew listing of withdrawal transactions.
 9. The computer-implementedmethod of claim 8, further comprising transmitting, by the computermanaging smart card device accounts, the certified withdrawaltransaction record to a second mobile communication device fortransmission to the smart card device during a second transaction. 10.The computer-implemented method of claim 1, further comprising storing,by the mobile communication device, the smart card device transactionhistory and the withdrawal transaction record until the mobilecommunication device has a second network connection with the computermanaging smart card device accounts.
 11. The computer-implemented methodof claim 1, wherein the smart card device transaction history furthercomprises a smart card account number and a verification number.
 12. Amobile communication device comprising: a non-transitorycomputer-readable medium having computer-readable program instructionsembodied therein that when executed by a computer cause the computer toperform the steps of: receiving a session access key via a networkconnection from a computer managing smart card device accounts;establishing, by a mobile communication device, a communication channelwith a smart card device while the mobile communication device iswithout a network connection to the computer managing the smart carddevice accounts; receiving, from the smart card device, a smart carddevice transaction history comprising a listing of previous deposittransactions and a listing of previous withdrawal transactions;calculating an amount of previous withdrawals using the listing ofprevious withdrawal transactions and an amount of previous depositsusing the listing of previous deposit transactions; authorizing, withouta network connection to the computer managing the smart card deviceaccounts, an offline debit transaction by determining that a currenttransaction amount is less than or equal to a smart card device accountbalance calculated using an amount of previous deposit transactions andan amount of the previous withdrawal transactions received in thetransaction history; creating an offline withdrawal transaction recordsubtracting the current transaction amount from a smart card deviceaccount balance; signing the withdrawal transaction record using thesession access key; and writing the signed withdrawal transaction recordto the smart card device transaction history, the signed withdrawaltransaction record indicating the current transaction amount debitedfrom the smart card device account balance and the session access keysignature.
 13. The mobile communication device of claim 12, furthercomprising the steps of: establishing a second network connection withthe computer managing the smart card device accounts after completingthe offline debit transaction with the smart card device without thenetwork connection to the computer, and transmitting the smart carddevice transaction history and the signed withdrawal transaction recordto the computer managing the smart card device accounts afterestablishing the network connection.
 14. The mobile communication deviceof claim 12, wherein the session access key comprises a key allowing themobile communication device to process withdrawals of funds duringoffline payment processing of purchases with smart card devices thathave smart card device accounts managed by the computer without anetwork connection to the computer.
 15. The mobile communication deviceof claim 12, wherein the session access key has a maximum quota ofallowed debit transactions, wherein the maximum quota allowed comprisesone of a maximum number of transactions allowed per session, a maximumtime period for the session, a maximum amount of money per transaction,and a maximum amount of money per session.
 16. The mobile communicationdevice of claim 12, further comprising the step of storing the smartcard device transaction history and the withdrawal transaction recorduntil the mobile communication device has a second network connectionwith the computer managing smart card device accounts.
 17. A system forprocessing withdrawals of funds during offline payment processing ofpurchases, comprising: a mobile communication device processor; and astorage device comprising hardware storing executable instructions thatwhen executed by the processor cause the processor to execute the stepsof: establishing, by a mobile communication device, a communicationchannel with a smart card device while a mobile communication device iswithout a network connection to a computer managing smart card deviceaccounts; receiving, from the smart card device, a smart card devicetransaction history comprising a listing of previous deposittransactions and a listing of previous withdrawal transactions;calculating an amount of previous withdrawals using the listing ofprevious withdrawal transactions and an amount of previous depositsusing the listing of previous deposit transactions; authorizing, withouta network connection to the computer managing the smart card deviceaccounts, an offline debit transaction by determining that a currenttransaction amount is less than or equal to a smart card device accountbalance calculated using an amount of previous deposit transactions andan amount of the previous withdrawal transactions received in thetransaction history; creating an offline withdrawal transaction recordsubtracting the current transaction amount from a smart card deviceaccount balance; signing the withdrawal transaction record using asession access key; and writing the signed withdrawal transaction recordto the smart card device transaction history, the signed withdrawaltransaction record indicating the current transaction amount debitedfrom the smart card device account balance and the session access keysignature.
 18. The system of claim 16, wherein the processor is furtherconfigured to execute instructions stored in the storage device to causethe processor to execute the steps of: establishing a second networkconnection with the computer managing the smart card device accountsafter completing the offline debit transaction with the smart carddevice without the network connection to the computer, and transmittingthe smart card device transaction history and the signed withdrawaltransaction record to the computer managing the smart card deviceaccounts after establishing the network connection.
 19. The system ofclaim 16, wherein the session access key comprises a key allowing themobile communication device to process withdrawals of funds duringoffline payment processing of purchases with smart card devices thathave smart card device accounts managed by the computer without anetwork connection to the computer.
 20. The system of claim 16, whereinthe session access key has a maximum quota of allowed debittransactions, wherein the maximum quota allowed comprises one of amaximum number of transactions allowed per session, a maximum timeperiod for the session, a maximum amount of money per transaction, and amaximum amount of money per session.